Information security professionals are well aware that fostering security awareness in their organisations is like battling against the elements; it has to be done, but it often seems futile. Yet with one of the world's highest-profile companies recently falling victim to a damaging cyberattack,
In this tip, we'll discuss how organisations can increase security awareness to avoid falling prey to damaging attacks that often reveal sensitive data.
The recent bad weather has caused a huge increase in the number of road accidents as drivers have struggled to cope with icy conditions. Motoring organisations and other concerned agencies issued advice to motorists on how to adapt their driving for the conditions along with additional precautions they should take. Thankfully nobody issued a statement saying that all drivers should change their car to brand X, which has a reputation for better handling. Some cars surely do handle better than others in icy conditions, but the reason there was no such advice is that everyone knows it's the driver, not the car, that's at the root of the problem.
So, what does the weather have to do with security awareness? Well, the recent warnings given to Web users by the German Federal Office for Information Security and Certa, the French government agency that oversees cyber threats, stated that users should find an alternative browser to Internet Explorer following the recent attacks on Google. These attacks were limited and highly targeted, so saying everyone should change browsers is like saying the whole country should change to 4x4s because there's snow in the mountains.
Every browser has security issues, so switching from one to another may mitigate one set of risks, but exposes users to another. This may sound like a controversial viewpoint, but to simply claim IE is inherently less secure than other browsers doesn't reflect the real situation. Yes, a vulnerability in Internet Explorer was one of the vectors used in attacks against Google and other companies, but it required "security-unaware" users to allow the vulnerability to be exploited.
This lack of information security awareness regarding the Internet is the real problem, and the most realistic, long-term solution is to change how people use it, not what they use to access it. Using the Internet is like using a car; the degree of caution a driver exercises depends on the environment in which it's being used. If you're working at an organisation that handles sensitive information, then you need to be more aware of the risks of using the Internet and how to mitigate those risks.
Beefing up information security awareness
To successfully thwart the attack to which Google was vulnerable -- and many other browser-based attacks, for that matter -- a combination of technology and security awareness is the best approach.
Firstly, the only successful attacks against this exploit have involved IE6. A simple (and free) upgrade to IE8 can help companies avoid many phishing and malware attacks. A report by NSS Labs ranked IE8 above other browsers for providing security against phishing and malware.
Secondly, for this type of attack to work, a user has to click a link in an email and visit a malicious website, whereupon a Trojan horse infects the user's PC, allowing the hacker to take control of it. It's vital to ensure users do not to click on links or open attachments in unsolicited emails, no matter how intriguing they may seem.
To be fair though, these attacks used highly sophisticated social engineering techniques, which were precisely targeted and had a specific agenda. They illustrate just why employee information security awareness techniques should be reassessed and brought up to date on an ongoing basis. That entails understanding what methods are being used in the latest attacks and ensuring users are made aware of them. If users know how to recognise and handle the latest phishing and other social engineering attacks, then these types of attack are far less likely to succeed.
The U.K. government's Centre for the Protection of National Infrastructure (CPNI) has not issued any browser warnings, but said it is "monitoring the situation" and will "publish further advice if the risks change."
If it does feel the need to issue advice, I hope it focuses on users' information security awareness and not on their brand of browser. Web browser vulnerabilities and cyberattacks are a fact of Internet life, so more has to be done to ensure people know how to use the Internet safely and not just avoid the latest attack.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
This was first published in January 2010